00001 <?php
00002 # This file is part of the Savane project
00003 # <http://gna.org/projects/savane/>
00004 #
00005 # $Id: title.php 4975 2005-11-15 17:25:35Z yeupou $
00006 #
00007 #  Copyright 2005      (c) Mathieu Roy <yeupou--gnu.org>
00008 #
00009 # The Savane project is free software; you can redistribute it and/or
00010 # modify it under the terms of the GNU General Public License
00011 # as published by the Free Software Foundation; either version 2
00012 # of the License, or (at your option) any later version.
00013 #
00014 # The Savane project is distributed in the hope that it will be useful,
00015 # but WITHOUT ANY WARRANTY; without even the implied warranty of
00016 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00017 # GNU General Public License for more details.
00018 #
00019 # You should have received a copy of the GNU General Public License
00020 # along with the Savane project; if not, write to the Free Software
00021 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
00022 
00023 
# The point of this library is to reach the point where Savane will
# no longer need register globals set to on.
00026 #
00027 # This library will:
00028 #            - do sanitization checks
00029 #            - provide functions to access user input in a sane way
00030 
00031 
00032 ###########################################################
00033 # Sanitization checks
00034 ###########################################################
00035 
00036 # Unset variables that users are not allowed to set in any cases
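# Unset variables that users are not allowed to set in any cases
unset($feedback_html);

# Catch recurrent globals like **_id and give them global status with
# sane_all.
#
# Pages that call register_globals_off() will actually get these
# unregistered, but that is not a big deal: these pages will have to
# initialize them themselves.
# The point of doing this right now is to have these initialized cleanly
# because they are used in include/pre.php
#
# sane_all() is defined further down in this file; PHP hoists
# unconditional top-level function declarations, so calling it here works.

unset($user_id, 
      $group_id, 
      $group, 
      $item_id, 
      $forum_id, 
      $msg_id,
      $export_id);

$user_id = sane_all("user_id");
$group_id = sane_all("group_id");
$group = sane_all("group");
$item_id = sane_all("item_id");
$forum_id = sane_all("forum_id");
$msg_id = sane_all("msg_id");
# Previously read "msg_id" (copy/paste slip), so export_id never reflected
# the export_id request parameter.
$export_id = sane_all("export_id");

# Return the first run of decimal digits found in $value, or null when
# $value is an array or contains no digit at all.
# (The former code indexed $match[0] unconditionally, which on a value
# without digits raised an undefined-offset notice and yielded null anyway;
# an array value made preg_match() emit a warning with the same result.)
function sane_keep_digits ($value)
{
  if (is_array($value) || !preg_match("/(\d+)/", $value, $match))
    {
      return null;
    }
  return $match[1];
}

# Keep only numerical characters in the item_id
# (Set both the global and the _REQUEST vars, because the global may be
# unregistered by register_globals_off())
if ($item_id && !ctype_digit($item_id))
{
  $item_id = sane_keep_digits($item_id);
  $_REQUEST["item_id"] = $item_id;
}

# Keep only numerical characters in the export_id
# (Set both the global and the _REQUEST vars, because the global may be
# unregistered by register_globals_off())
if ($export_id && !ctype_digit($export_id))
{
  $export_id = sane_keep_digits($export_id);
  $_REQUEST["export_id"] = $export_id;
}


# Keep only numerical characters in the group_id
# (Set both the global and the _REQUEST vars, because the global may be
# unregistered by register_globals_off())
if ($group_id && !ctype_digit($group_id))
{
  $group_id = sane_keep_digits($group_id);
  $_REQUEST["group_id"] = $group_id;
}

# Keep only numerical characters in the user_id
# (Set both the global and the _REQUEST vars, because the global may be
# unregistered by register_globals_off())
# Unlike the other ids, an array user_id is deliberately left untouched.
if ($user_id && !ctype_digit($user_id) && !is_array($user_id))
{
  $user_id = sane_keep_digits($user_id);
  $_REQUEST["user_id"] = $user_id;
}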
00104 
00105 
00106 
00107 ###########################################################
00108 # Functions to access user input
00109 ###########################################################
00110 
00111 # Backward security function. This will sanitize input already passed via
00112 # register globals.
00113 # 
00114 # In theory, this function should "disappear" from the code and be replaced by 
00115 # sane_XXX functions.
00116 #
00117 # This function should be used whenever user input is used:
00118 #        - get
00119 #        - post
00120 #        - cookies
00121 # This will escape the strings appropriately.
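function safeinput ($string)
{
  # If magic_quotes is on, count on it to escape data.
  # get_magic_quotes_gpc() has returned false since PHP 5.4 and does not
  # exist at all in PHP 8, where the bare call would be a fatal
  # "undefined function" error; guard it so the function keeps working.
  if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) 
    {
      return $string;
    } 

  # NOTE(review): addslashes() is a generic backslash escaping, not a
  # database-aware one. Callers that build SQL from this value should
  # prefer the driver's own escaping or parameterised queries over
  # relying on this input-time escaping.
  return addslashes($string);
}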
00132 
00133 # Function to obtain user input that come from undefined method.
00134 # This should be used only where user can legitimately send data by
00135 # different methods.
00136 # (this is why it is called sane_all, to avoid having it used everywhere)
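function sane_all($varname)
{
  # A missing key used to raise an undefined-index notice; pass null
  # through safeinput() instead so the returned value is unchanged.
  $value = isset($_REQUEST[$varname]) ? $_REQUEST[$varname] : null;
  return safeinput($value);
}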
00141 
00142 # Function to obtain user input submitted as url args
00143 # (like thispage.php?arg=userinput)
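function sane_get($varname) 
{  
  # A missing key used to raise an undefined-index notice; pass null
  # through safeinput() instead so the returned value is unchanged.
  $value = isset($_GET[$varname]) ? $_GET[$varname] : null;
  return safeinput($value);
}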
00148 
00149 # Function to obtain user input submitted while posting a form
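function sane_post($varname) 
{
  # A missing key used to raise an undefined-index notice; pass null
  # through safeinput() instead so the returned value is unchanged.
  $value = isset($_POST[$varname]) ? $_POST[$varname] : null;
  return safeinput($value);
}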
00154 
00155 # Function to obtain user input submitted in a cookie
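function sane_cookie($varname) 
{
  # A missing key used to raise an undefined-index notice; pass null
  # through safeinput() instead so the returned value is unchanged.
  $value = isset($_COOKIE[$varname]) ? $_COOKIE[$varname] : null;
  return safeinput($value);
}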
00160 
00161 # Function to unregister globals on a page: this will be helpful to
00162 # make pages compliant with register globals set to off one by one.
function register_globals_off ()
{
  # Drop every global whose name matches a key of the current request,
  # i.e. whatever register_globals would have created.
  # NOTE(review): the key names come from the request itself, so any
  # global sharing a name with a request key is removed, not only the
  # ones this file initialised -- call this before, not after, setting up
  # globals the page relies on.
  foreach (array_keys($_REQUEST) as $name)
    {
      unset($GLOBALS[$name]);
    }
}
00170 
00171 ?>
